| // Copyright 2017 The Chromium Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #ifndef BSSL_PKI_COMMON_CERT_ERRORS_H_ |
| #define BSSL_PKI_COMMON_CERT_ERRORS_H_ |
| |
| #include "fillins/openssl_util.h" |
| |
| #include "cert_errors.h" |
| |
| // This file contains the set of "default" certificate errors (those |
| // defined by the core verification/path building code). |
| // |
| // Errors may be defined for other domains. |
| namespace bssl::cert_errors { |
| |
| // An internal error occurred which prevented path building or verification |
| // from finishing. |
| OPENSSL_EXPORT extern const CertErrorId kInternalError; |
| |
| // The verification time is after the certificate's notAfter time. |
| OPENSSL_EXPORT extern const CertErrorId kValidityFailedNotAfter; |
| |
| // The verification time is before the certificate's notBefore time. |
| OPENSSL_EXPORT extern const CertErrorId kValidityFailedNotBefore; |
| |
| // The certificate is actively distrusted by the trust store (this is separate |
| // from other revocation mechanisms). |
| OPENSSL_EXPORT extern const CertErrorId kDistrustedByTrustStore; |
| |
| // The certificate disagrees on what the signature algorithm was |
| // (Certificate.signatureAlgorithm != TBSCertificate.signature). |
| OPENSSL_EXPORT extern const CertErrorId kSignatureAlgorithmMismatch; |
| |
| // Certificate verification was called with an empty chain. |
| OPENSSL_EXPORT extern const CertErrorId kChainIsEmpty; |
| |
| // The certificate contains an unknown extension which is marked as critical. |
| OPENSSL_EXPORT extern const CertErrorId kUnconsumedCriticalExtension; |
| |
| // The target certificate appears to be a CA (has Basic Constraints CA=true) |
| // but is being used for TLS client or server authentication. |
| OPENSSL_EXPORT extern const CertErrorId kTargetCertShouldNotBeCa; |
| |
| // The certificate is being used to sign other certificates, however the |
| // keyCertSign KeyUsage was not set. |
| OPENSSL_EXPORT extern const CertErrorId kKeyCertSignBitNotSet; |
| |
| // The chain violates the max_path_length from BasicConstraints. |
| OPENSSL_EXPORT extern const CertErrorId kMaxPathLengthViolated; |
| |
| // The certificate being used to sign other certificates has a |
| // BasicConstraints extension, however it sets CA=false |
| OPENSSL_EXPORT extern const CertErrorId kBasicConstraintsIndicatesNotCa; |
| |
| // The certificate being used to sign other certificates does not include a |
| // BasicConstraints extension. |
| OPENSSL_EXPORT extern const CertErrorId kMissingBasicConstraints; |
| |
| // The certificate has a subject or subjectAltName that violates an issuer's |
| // name constraints. |
| OPENSSL_EXPORT extern const CertErrorId kNotPermittedByNameConstraints; |
| |
| // The chain has an excessive number of names and/or name constraints. |
| OPENSSL_EXPORT extern const CertErrorId kTooManyNameConstraintChecks; |
| |
| // The certificate's issuer field does not match the subject of its alleged |
| // issuer. |
| OPENSSL_EXPORT extern const CertErrorId kSubjectDoesNotMatchIssuer; |
| |
| // Failed to verify the certificate's signature using its issuer's public key. |
| OPENSSL_EXPORT extern const CertErrorId kVerifySignedDataFailed; |
| |
| // The certificate encodes its signature differently between |
| // Certificate.algorithm and TBSCertificate.signature, but it appears |
| // to be the same algorithm. |
| OPENSSL_EXPORT extern const CertErrorId kSignatureAlgorithmsDifferentEncoding; |
| |
| // The certificate verification is being done for serverAuth, however the |
| // certificate lacks serverAuth in its ExtendedKeyUsages. |
| OPENSSL_EXPORT extern const CertErrorId kEkuLacksServerAuth; |
| |
| // The certificate verification is being done for clientAuth, however the |
| // certificate lacks clientAuth in its ExtendedKeyUsages. |
| OPENSSL_EXPORT extern const CertErrorId kEkuLacksClientAuth; |
| |
| // The root certificate in a chain is not trusted. |
| OPENSSL_EXPORT extern const CertErrorId kCertIsNotTrustAnchor; |
| |
| // The chain is not valid for any policy, and an explicit policy was required. |
| // (Either because the relying party requested it during verificaiton, or it was |
| // requrested by a PolicyConstraints extension). |
| OPENSSL_EXPORT extern const CertErrorId kNoValidPolicy; |
| |
| // The certificate is trying to map to, or from, anyPolicy. |
| OPENSSL_EXPORT extern const CertErrorId kPolicyMappingAnyPolicy; |
| |
| // The public key in this certificate could not be parsed. |
| OPENSSL_EXPORT extern const CertErrorId kFailedParsingSpki; |
| |
| // The certificate's signature algorithm (used to verify its |
| // signature) is not acceptable by the consumer. What constitutes as |
| // "acceptable" is determined by the verification delegate. |
| OPENSSL_EXPORT extern const CertErrorId kUnacceptableSignatureAlgorithm; |
| |
| // The certificate's public key is not acceptable by the consumer. |
| // What constitutes as "acceptable" is determined by the verification delegate. |
| OPENSSL_EXPORT extern const CertErrorId kUnacceptablePublicKey; |
| |
| // The certificate's EKU is missing serverAuth. However Netscape Server Gated |
| // Crypto is present instead. |
| OPENSSL_EXPORT extern const CertErrorId kEkuLacksServerAuthButHasGatedCrypto; |
| |
| // The certificate's EKU is missing serverAuth. However EKU ANY is present |
| // instead. |
| OPENSSL_EXPORT extern const CertErrorId kEkuLacksServerAuthButHasAnyEKU; |
| |
| // The certificate's EKU is missing clientAuth. However EKU ANY is present |
| // instead. |
| OPENSSL_EXPORT extern const CertErrorId kEkuLacksClientAuthButHasAnyEKU; |
| |
| // The certificate's EKU is missing both clientAuth and serverAuth. |
| OPENSSL_EXPORT extern const CertErrorId kEkuLacksClientAuthOrServerAuth; |
| |
| // The certificate's EKU has OSCP Signing when it should not. |
| OPENSSL_EXPORT extern const CertErrorId kEkuHasProhibitedOCSPSigning; |
| |
| // The certificate's EKU has Time Stamping when it should not. |
| OPENSSL_EXPORT extern const CertErrorId kEkuHasProhibitedTimeStamping; |
| |
| // The certificate's EKU has Code Signing when it should not. |
| OPENSSL_EXPORT extern const CertErrorId kEkuHasProhibitedCodeSigning; |
| |
| // The certificate does not have EKU. |
| OPENSSL_EXPORT extern const CertErrorId kEkuNotPresent; |
| |
| // The certificate has been revoked. |
| OPENSSL_EXPORT extern const CertErrorId kCertificateRevoked; |
| |
| // The certificate lacks a recognized revocation mechanism (i.e. OCSP/CRL). |
| // Emitted as an error when revocation checking expects certificates to have |
| // such info. |
| OPENSSL_EXPORT extern const CertErrorId kNoRevocationMechanism; |
| |
| // The certificate had a revocation mechanism, but when used it was unable to |
| // affirmatively say whether the certificate was unrevoked. |
| OPENSSL_EXPORT extern const CertErrorId kUnableToCheckRevocation; |
| |
| // Path building was unable to find any issuers for the certificate. |
| OPENSSL_EXPORT extern const CertErrorId kNoIssuersFound; |
| |
| // Deadline was reached during path building. |
| OPENSSL_EXPORT extern const CertErrorId kDeadlineExceeded; |
| |
| // Iteration limit was reached during path building. |
| OPENSSL_EXPORT extern const CertErrorId kIterationLimitExceeded; |
| |
| // Depth limit was reached during path building. |
| OPENSSL_EXPORT extern const CertErrorId kDepthLimitExceeded; |
| |
| } // namespace net::cert_errors |
| |
| #endif // BSSL_PKI_COMMON_CERT_ERRORS_H_ |